PHANTOMPULSE: A Sophisticated, Blockchain-Driven Remote Access Trojan
Recent technical analysis has brought to light the complexities of PHANTOMPULSE, a highly sophisticated Remote Access Trojan (RAT) engineered for multi-stage intrusions within Windows environments. While previously identified as the final payload in an attack chain involving Obsidian plugin abuse and in-memory loaders, new findings reveal a much more dangerous post-exploitation toolkit designed for stealth and resilience.
PHANTOMPULSE is not a “script kiddie” tool; it is a professional-grade piece of malware that integrates advanced process injection, User Account Control (UAC) bypasses, and a decentralized, blockchain-based Command-and-Control (C2) architecture to maintain a low profile on compromised endpoints.
Advanced Evasion and Stealth Mechanisms
To evade modern Endpoint Detection and Response (EDR) solutions, PHANTOMPULSE employs several layers of technical obfuscation. Most notably, it utilizes direct system calls (Syscalls). By bypassing standard Windows API functions and communicating directly with the kernel, the malware effectively circumvents the user-mode hooks that security software relies on to monitor malicious activity.
The malware’s injection capabilities are equally diverse. Rather than relying on a single method, it deploys three distinct techniques tailored to the specific payload type being delivered:
- Module Stomping: Used for shellcode execution.
- Manual DLL Mapping: Utilized when deploying DLL payloads via the
ManualMapfunction. - Debug-Driven Execution (DbgNexum): A method derived from public proof-of-concept tools, used specifically for executing EXE payloads.
By injecting into legitimate system processes like explorer.exe or dllhost.exe, PHANTOMPULSE masks its presence, making it appear as routine system behavior to many monitoring tools.

AI-generated strings identified within the binary (Source: Elastic Security Labs).
Defeating Security Telemetry via Hardware Breakpoints
One of the most ingenious—and disruptive—aspects of PHANTOMPULSE is its method for disabling core Windows security protections. Instead of the traditional approach of patching code in memory (which is easily detected by integrity checks), the malware utilizes Hardware Breakpoints (HWBP).
By planting hardware breakpoints on specific API entry points, the malware intercepts execution at runtime. This allows it to spoof clean return values, effectively “blinding” the following security components without altering the underlying code:
- AMSI (Antimalware Scan Interface): Prevents script-based detection.
- WLDP (Windows Lockdown Policy): Bypasses code-trust enforcement.
- ETW (Event Tracing for Windows): Silences the telemetry that security teams use for incident response.

The hardware breakpoint setup function used to neutralize security telemetry (Source: Elastic Security Labs).
Decentralized Infrastructure: Blockchain-Based C2
Perhaps the most innovative feature of PHANTOMPULSE is its method of locating its controller. To avoid the pitfalls of static domains or IP addresses—which are easily blocked—the malware uses blockchain-based C2 resolution. It retrieves its C2 server address by inspecting transaction data on the Ethereum, Base, and Optimism networks.
The malware monitors a hardcoded wallet address and decrypts the “input” field of recent transactions to find the next command server. However, researchers have discovered a critical architectural flaw: the resolver does not validate the identity of the transaction sender. This oversight provides a unique opportunity for defenders to “sinkhole” the malware by submitting a single crafted transaction to the blockchain, effectively hijacking the communication channel.
Privilege Escalation and Persistence
To gain full control over a system, PHANTOMPULSE utilizes the “schuac” UAC bypass technique. By abusing COM interfaces such as IElevatedFactoryServer, the malware can spawn processes with high-integrity privileges without triggering the standard Windows user prompt.
Once elevated, it ensures long-term access through multiple scheduled tasks that trigger at system startup and user logon via rundll32.exe. The malware also features a “self-healing” capability, periodically checking for and automatically restoring any deleted components or registry keys.

The C2 command switch case handling different injection types (Source: Elastic Security Labs).
Threat Intelligence and Attribution
While PHANTOMPULSE performs extensive reconnaissance—targeting cryptocurrency wallets, messaging apps, and file transfer tools—this specific variant appears to act primarily as a staging platform rather than a direct theft tool.
Interestingly, the binary shows strong indicators of AI-assisted development. Debug strings and logging patterns exhibit a highly structured, verbose nature consistent with code generated by Large Language Models (LLMs).
The tactics, techniques, and procedures (TTPs) observed—specifically the focus on crypto-assets and the use of decentralized infrastructure—align closely with North Korean (DPRK) threat actors, such as BlueNoroff or UNC5342. This underscores a growing trend where state-sponsored groups blend cutting-edge decentralized technology with automated, AI-driven development to create highly resilient cyber-weapons.